Detecting Exchange Online Shared Mailboxes That Need Licenses

Shared Mailbox License Only Needed Under Three Specific Conditions

Exchange Online shared mailboxes don’t need licenses unless they:

  • Exceed 50 GB in mailbox size.
  • Have an archive mailbox. This allows the Managed Folder Assistant to offload older items through an Exchange Online mailbox retention policy.
  • Are on litigation hold. As Exchange Online won’t allow an administrator to put a shared mailbox on litigation hold, this implies that the mailbox originally belonged to a user before conversion to a shared mailbox. Organizations sometimes preserve the mailboxes of ex-employees by converting them into shared mailboxes. In many cases, making the mailboxes inactive is a better choice.

In these cases, Microsoft requires the shared mailbox to have an Exchange Online Plan 2 license, which you can assign in the Microsoft 365 admin center or with PowerShell. If you don’t have an Exchange Online Plan 2 license, you can also use a license like Office 365 E3 that contains the Exchange Online Plan 2 service plan. In effect, you assign the license to the Azure AD account that Exchange Online creates automatically for the shared mailbox. Azure AD doesn’t disable the account and it works like other Azure AD accounts, but you should never sign into it.

For instance, to assign an Office 365 E3 license to a shared mailbox, you could run these commands:

$M = Get-ExoMailbox -RecipientTypeDetails SharedMailbox -Identity 'Customer Services'
Set-MgUserLicense -UserId $M.ExternalDirectoryObjectId -Addlicenses @{SkuId = '6fd2c87f-b296-42f0-b197-1e91e994b900'} -RemoveLicenses @()

See this page for details of the identifiers for Microsoft 365 licenses and this article for more information about how to manage licenses for Azure AD accounts with PowerShell.

Finding Shared Mailboxes that Need Licenses

Microsoft doesn’t actively block shared mailboxes that breach the licensing conditions. However, it’s a good idea to make sure that all the shared mailboxes in a tenant have licenses when required. The shared mailboxes section in the Microsoft 365 admin center gives no hint of when mailboxes need licenses, but some processing with PowerShell should do the trick.

The steps seem easy enough:

  • Find all shared mailboxes.
  • Check each mailbox to see if it has an archive, exceeds 50 GB, or is on litigation hold.
  • Check the mailbox’s account to see if it has an Exchange Online Plan 2 license.
  • Report what we find.

The full script is available from GitHub. The main loop for each mailbox is below.

Write-Host ("Processing mailbox {0} ({1} of {2})" -f $M.DisplayName, $i, $Mbx.count)
   $NeedsLicense = $False; $ArchiveStatus = $Null; $ExoArchiveLicense = $False; $ExoPlan2License = $False; $LicenseStatus = "OK"; $ArchiveStats = $Null
   $MailboxOverSize = $False; $ExoPlan1License = $False; $ArchiveMbxSize = $Null
   $MbxStats = Get-ExoMailboxStatistics -Identity $M.ExternalDirectoryObjectId
   $MbxSize = [math]::Round(($MbxStats.TotalItemSize.Value.toBytes() / 1GB),5)
   If ($M.ArchiveStatus -ne "None") { #Mailbox has an archive
      $ArchiveStats = Get-ExoMailboxStatistics -Archive -Identity $M.ExternalDirectoryObjectId 
      If ($ArchiveStats) {       
          $ArchiveMbxSize = [math]::Round(($ArchiveStats.TotalItemSize.Value.toBytes() / 1GB),5)}
   $Licenses = Get-MgUserLicenseDetail -UserId $M.ExternalDirectoryObjectId | Select-Object -ExpandProperty ServicePlans | Where-Object {$_.ProvisioningStatus -eq "Success"} | Sort ServicePlanId -Unique
   If ($Licenses) { # The mailbox has some licenses
     If ($ExoArchiveAddOn -in $Licenses.ServicePlanId) { $ExoArchiveLicense = $True }
     If ($ExoPlan2 -in $Licenses.ServicePlanId) { $ExoPlan2License = $True }
     If ($ExoPlan1 -in $Licenses.ServicePlanId) { $ExpPlan1License = $True }

  # Mailbox has an archive and it doesn't have an Exchange Online Plan 2 license, unless it has Exchange Online Plan 1 and the
  # archive add-on
  If ($M.ArchiveStatus -eq "Active") {
    If ($ExoPlan2License -eq $False) { $NeedsLicense = $True }
    If ($ExoPlan1License -eq $True -and $ExoArchiveLicense -eq $True) { $NeedsLicense = $False }
  # Mailbox is on litigation hold and it doesn't have an Exchange Online Plan 2 license
  If ($M.LitigationHoldEnabled -eq $True -and $ExoPlan2License -eq $False)  { $NeedsLicense = $True }
  # Mailbox is over the 50GB limit for unlicensed shared mailboxes
  If ($MbxStats.TotalItemSize.value -gt $MailboxLimit) { # Exceeds mailbox size for unlicensed shared mailboxes
      $MailboxOverSize = $True
      $NeedsLicense = $True}

Analyzing the Outcome

The code is rough and ready but serves its purpose (which is always a good state for a PowerShell script to be in). At the end of the processing, the script generates some basic statistics, including highlighting any shared mailboxes it thinks need licenses together with the reason why (Figure 1).

Reporting shared mailboxes that need licenses

shared mailbox license
Figure 1: Detecting if a shared mailbox license is needed

Figure 2 shows the kind of information the script gathers for the shared mailboxes. In this case, I had assigned a license to one of the two mailboxes highlighted in Figure 1, so only one mailbox shows up as still needing a license.

Statistics for shared mailboxes
Figure 2: Statistics for shared mailbox licenses

Shared Mailboxes Don’t Need Much Attention

Usually, shared mailboxes don’t need much attention. They function like they’ve always functioned because Microsoft hasn’t changed their functionality much over the past few years. However, some shared mailboxes might need licenses. It’s best to find and rectify the issue before you run into problems. Unlicensed shared mailboxes that exceed their 50 GB allocation can’t send any new emails until they receive a license and will eventually stop receiving inbound messages. That’s a sad situation to be in!

Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new developments as they happen.

5 Replies to “Detecting Exchange Online Shared Mailboxes That Need Licenses”

  1. Hi Tony,
    Good day.

    I tried this script and got below error:
    Get-MgUserLicenseDetail : The term ‘Get-MgUserLicenseDetail’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try

  2. I was back down this rabit hole today…

    “If you want to apply advanced features such as *Microsoft Defender for Office 365*, Microsoft Purview eDiscovery (Premium), or retention policies, the shared mailbox must be licensed for such feature(s).”

    It’s totally bizard that you can’t enable MDO for a shared mailbox as it doen’t have a exchange license but you will likely require it. Some questions are likely better left unasked…

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.